
CNI providers face hefty fines for cyber security failings

UK providers of critical national infrastructure face hefty fines for cyber security failings from 10 May 2018

New UK laws implementing the EU directive on the security of network and information systems (NIS) go into effect on 10 May 2018.

All organisations classified by the NIS Competent Authorities as “operators of essential services” (OES) will be affected by the new laws.

The new rules are aimed at ensuring the UK’s most critical industries boost cyber security and are backed by hefty fines for any organisation in the sector that fails to take adequate steps to protect itself from cyber attacks.

Energy, transport, water, health and other critical services firms could be fined up to £17m if they fail to have the most robust safeguards in place.

The new measures also cover other threats affecting IT, such as power outages, hardware failures and environmental hazards.

In 2017, the Department for Digital, Culture, Media and Sport (DCMS) ran a public consultation seeking views from industry on how to implement the NIS Directive.

Organisations that fall under the new rules are required to report cyber security incidents to the appointed competent authorities, who will assess whether appropriate security measures were in place.


The authorities will have the power to issue legally binding instructions to improve security and – if appropriate – impose financial penalties.

The UK’s National Cyber Security Centre (NCSC) is providing technical support and guidance to other government departments, devolved administrations, competent authorities (CAs) and OES through a set of cyber security principles for securing essential services, a collection of supporting guidance and a Cyber Assessment Framework (CAF) incorporating indicators of good practice.

The NCSC is also providing implementation guidance and support to CAs to enable them to adapt the NIS principles for use in their sectors, undertake assessments using the CAF and interpret the results.

The NCSC will fulfil the role of a CSIRT (computer security incident response team) for the UK and act as the single point of contact for engagement with EU partners on NIS, coordinating requests for action or information and submitting annual incident statistics. It will also function as the technical authority on cyber security for CAs and OES, but will have no regulatory role.

“The magnitude, frequency and impact of network and information system security incidents is increasing,” according to guidance published by the NCSC.

“Events such as the 2017 WannaCry ransomware attack, the 2016 attacks on US water utilities and the 2015 attack on Ukraine’s electricity network clearly highlight the impact that incidents can have,” the guidance said.

NIS Directive critical for essential services

Charlie Wedin, cyber security expert at international legal practice Osborne Clarke, said the NIS Directive will be critical to ensure essential services in the UK remain “on” during even the most extreme cyber attacks.

“In recent years, the number of cyber attacks against national infrastructure has risen dramatically, and this demonstrates just how attractive these systems have become to malicious actors looking to target any vulnerable points in the system.

“The consequences on society can be significant – preventing access to power, transport and emergency services. Recognising the importance of digital services in today's society, the directive also applies to online marketplaces, search engines and cloud storage.

“So, while the NIS Directive has been somewhat overshadowed by the General Data Protection Regulation, operators of essential services must ensure they are prepared to deal with both regulations,” he said.

Wedin suggests that organisations should test their security measures with realistic “war game” simulations to identify and rectify potential weaknesses proactively.
